Crazy Fast Password Recovery with Hashcat

I have been playing with Hashcat a little bit today and I am just stunned at how fast it is. Hashcat is an all-purpose password cracker that can run on your GPU or your CPU. The GPU version, oclHashcat-plus, is touted as the world’s fastest md5crypt, phpass, mscash2 and WPA / WPA2 cracker.

Hashcat is a multi-threaded cracker, so if your CPU can run several threads, it will use them. But the real speed comes into play when using the horsepower of a GPU. If your GPU can run hundreds of threads, all of this power is used to break passwords.

But just how fast is it?

I took just a simple password, “fred”, and fed its NTLM password hash into Hashcat. I used just the slower CPU version and the brute-force option. The password was recovered as soon as I hit run.

It was so fast, the estimated and elapsed time didn’t even register.

You can also give Hashcat a password dictionary to work from. For the next test, I downloaded the “RockYou.txt” password list. This is a list of actual passwords that have been sanitized (usernames removed). I pulled 4 random plaintext passwords from RockYou and converted them to Windows NTLM passwords: